# Chapter 30: Compliance, Auditing & Governance

## AWS Governance & Compliance Services

## 30.1 Overview

AWS provides services for compliance management, auditing, and governance that help organizations meet regulatory requirements and maintain security standards.
### AWS Compliance & Governance Overview

Compliance and governance on AWS rest on three core services:

- **AWS Audit Manager**: automates audits and evidence collection
- **AWS Artifact**: audit reports and compliance documentation
- **AWS Config**: tracks resource configuration and evaluates rules

### Service Comparison

| Feature | Audit Manager | Artifact | Config | CloudTrail |
|---|---|---|---|---|
| Primary Use | Audit automation | Compliance reports | Config tracking | API auditing |
| Automation | High | Low | Medium | Low |
| Evidence Collection | Yes | Yes | Yes | Yes |
| Compliance Frameworks | Multiple | Built-in | Custom | N/A |
| Pricing | Per assessment | Free | Per rule | Free/Paid |
## 30.2 AWS Audit Manager

### Audit Manager Overview
AWS Audit Manager is organized around three building blocks that feed into assessments:

- **Frameworks**: prebuilt, custom, or imported
- **Controls**: custom, managed, or inherited
- **Evidence**: collected automatically or uploaded manually

These combine into **Assessments**, which report compliance status, produce evidence reports, and track remediation.

### Prebuilt Frameworks
Audit Manager ships with prebuilt compliance frameworks, including:

- CIS AWS Foundations Benchmark v1.4
- CIS AWS Foundations Benchmark v1.5
- PCI DSS v3.2.1
- PCI DSS v4.0
- NIST SP 800-53 Rev. 5
- SOC 2
- HIPAA
- GDPR
- ISO 27001
- FedRAMP
- AWS Well-Architected Framework

### Control Types
**Automated controls**

- Data sources: AWS Config, AWS Security Hub, AWS CloudTrail, Amazon S3, AWS IAM
- Evidence collection: automatic data gathering, continuous monitoring, real-time updates

**Manual controls**

- Evidence types: document uploads, screenshots, text descriptions, external links
- Use cases: policy attestations, process documentation, third-party certifications

### Assessment Workflow
1. **Create assessment**: select a framework, define the scope (accounts, regions), set the assessment period
2. **Collect evidence**: automated collection from data sources, manual evidence upload, continuous updates
3. **Review findings**: analyze compliance status, identify gaps, document exceptions
4. **Generate report**: create the assessment report, export it to stakeholders, archive it for the audit trail

### Audit Manager CLI Commands
```bash
# Create assessment (--framework-id is required; the id is a placeholder here,
# and --roles takes a JSON list)
aws auditmanager create-assessment \
  --name "My Compliance Assessment" \
  --description "Annual compliance review" \
  --framework-id "<framework-id>" \
  --assessment-reports-destination '{"destinationType":"S3","destination":"s3://my-bucket/reports"}' \
  --scope '{"awsAccounts":[{"id":"123456789012"}],"awsServices":[]}' \
  --roles '[{"roleType":"PROCESS_OWNER","roleArn":"arn:aws:iam::..."}]'

# List assessments
aws auditmanager list-assessments

# Get assessment
aws auditmanager get-assessment \
  --assessment-id "abc-123"

# Create control (the CLI flag is --testing-information; for an AWS Config data source,
# sourceSetUpOption is System_Controls_Mapping and keywordValue is the managed rule identifier)
aws auditmanager create-control \
  --name "My Control" \
  --description "Custom security control" \
  --testing-information "Verify encryption is enabled" \
  --control-mapping-sources '[{"sourceName":"S3 encryption rule","sourceType":"AWS_Config","sourceSetUpOption":"System_Controls_Mapping","sourceKeyword":{"keywordInputType":"SELECT_FROM_LIST","keywordValue":"S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"},"sourceFrequency":"DAILY"}]'

# List controls
aws auditmanager list-controls \
  --control-type "Custom"

# Get evidence (--control-set-id is also required; placeholder shown)
aws auditmanager get-evidence \
  --assessment-id "abc-123" \
  --control-set-id "<control-set-id>" \
  --evidence-folder-id "folder-123" \
  --evidence-id "evidence-123"

# Create assessment report
aws auditmanager create-assessment-report \
  --assessment-id "abc-123" \
  --name "Q1 Compliance Report"
```

## 30.3 AWS Artifact

### Artifact Overview
AWS Artifact provides self-service access to three kinds of documents:

- **Audit reports**: SOC, PCI, and others
- **Compliance reports**: ISO, FedRAMP, and others
- **Agreements**: BAA, DPA, and others

### Available Reports
**Audit reports**

- SOC reports: SOC 1 Type II (SSAE 18), SOC 2 Type II, SOC 3
- PCI DSS: Attestation of Compliance (AOC), Report on Compliance (ROC)
- ISO certifications: ISO 27001, ISO 27017 (Cloud Security), ISO 27018 (Privacy), ISO 9001 (Quality)

**Government certifications**

- FedRAMP (Federal Risk and Authorization Management)
- DoD SRG (Department of Defense)
- IRAP (Australian Government)
- MTCS (Singapore Government)
- C5 (German Government)

### Agreement Types
**Business Associate Agreement (BAA)**

- Required for HIPAA compliance
- Covers protected health information (PHI)
- Must be accepted before processing PHI

**Data Processing Agreement (DPA)**

- GDPR compliance
- Data processing terms
- EU data protection requirements

**Service Terms**

- Service-specific terms
- Usage restrictions
- Compliance requirements

## 30.4 AWS Config

### Config Overview
AWS Config has three components that together produce configuration items:

- **Config Recorder**: records and tracks configuration changes
- **Config Rules**: managed or custom rules, with optional remediation
- **Config Aggregator**: central, multi-account view

**Configuration items** hold each resource's history, its relationships to other resources, and its compliance status.

### Config Rules
**Managed rules (AWS provided)**

- Security rules: `S3_BUCKET_ENCRYPTION_ENABLED`, `S3_BUCKET_PUBLIC_READ_PROHIBITED`, `EBS_ENCRYPTION_ENABLED`, `RDS_ENCRYPTION_ENABLED`, `IAM_PASSWORD_POLICY`, `ROOT_ACCOUNT_MFA_ENABLED`
- Network rules: `VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS`, `INCOMING_SSH_DISABLED`, `RESTRICTED_INCOMING_TRAFFIC`

**Custom rules (Lambda-based)**

- Use cases: organization-specific requirements, complex compliance checks, cross-resource validation
- Examples: check that all EC2 instances carry required tags, validate security group naming conventions, ensure specific IAM policies are attached
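The first custom-rule example above (required tags on EC2 instances) as a Lambda-backed Config rule. This is an added example, not code from the chapter: it follows the custom-rule contract (Config invokes the function with an `invokingEvent` carrying the configuration item; the function answers with `PutEvaluations`), while the rule parameter name `RequiredTags`, the default tag list and the sample event are assumptions made here.

```python
"""Custom AWS Config rule (Lambda-based): require tags on EC2 instances.

Added example, not code from the chapter. The Lambda receives an invokingEvent
with the configuration item, decides COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE,
and reports back with PutEvaluations. The RequiredTags parameter name, the
default tag list and the sample event are assumptions for this example.
"""
import json
from typing import Dict, List, Optional

# Tag keys required when the rule passes no RequiredTags parameter (constructed default).
DEFAULT_REQUIRED_TAGS = ["Owner", "CostCenter", "DataClassification"]
DELETED_STATUSES = {"ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded"}


def evaluate_tags(item: dict, required: List[str]) -> Dict[str, str]:
    """Evaluate one configuration item.

    NOT_APPLICABLE for deleted/unrecorded resources, NON_COMPLIANT when any
    required key is absent or empty, COMPLIANT otherwise.
    """
    if item.get("configurationItemStatus") in DELETED_STATUSES:
        return {"compliance": "NOT_APPLICABLE", "annotation": "resource deleted or not recorded"}
    tags = item.get("tags") or {}
    missing = [k for k in required if not str(tags.get(k, "")).strip()]
    if missing:
        return {"compliance": "NON_COMPLIANT", "annotation": "missing tags: " + ", ".join(missing)}
    return {"compliance": "COMPLIANT", "annotation": "all required tags present"}


def build_evaluation(event: dict, required: Optional[List[str]] = None) -> dict:
    """Turn a Config invocation event into one PutEvaluations entry."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    if required is None:
        params = json.loads(event.get("ruleParameters") or "{}")
        raw = params.get("RequiredTags")
        required = [t.strip() for t in raw.split(",") if t.strip()] if raw else DEFAULT_REQUIRED_TAGS
    result = evaluate_tags(item, required)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": result["compliance"],
        "Annotation": result["annotation"][:256],  # Config limits annotations to 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: evaluate the item and report the result to AWS Config."""
    import boto3  # present in the Lambda runtime; imported here so the pure logic above runs offline

    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample invocation event, shaped like what Config sends a custom rule.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-15T12:00:00.000Z",
            "tags": {"Owner": "alice", "CostCenter": ""},
        },
    }),
    "ruleParameters": json.dumps({"RequiredTags": "Owner,CostCenter"}),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

The evaluation logic is kept separate from the `boto3` call so it can be unit-tested without AWS credentials; an empty tag value is treated as missing, which is the case tag-checking rules most often get wrong. To wire the function up, register it with `put-config-rule` using a `Source` of `Owner: CUSTOM_LAMBDA`, the function ARN as `SourceIdentifier`, and a `SourceDetails` entry for `ConfigurationItemChangeNotification`, and grant the Config service principal permission to invoke the function.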
### Config Remediation

**Automatic remediation**

Workflow:

1. Config rule detects non-compliance
2. Remediation action is triggered
3. SSM Automation document executes
4. Resource is remediated
5. Config re-evaluates the rule

Built-in remediation actions (SSM Automation documents): `AWS-EnableS3BucketEncryption`, `AWS-DisableS3BucketPublicRead`, `AWS-EnableEBSVolumeEncryption`, `AWS-AttachIAMPolicy`

**Manual remediation**

- Notification via SNS
- Manual review and action
- Documentation of the remediation

### Config CLI Commands
```bash
# Put configuration recorder (define what to record before starting it)
aws configservice put-configuration-recorder \
  --configuration-recorder '{"name":"default","roleARN":"arn:aws:iam::...","recordingGroup":{"allSupported":true,"includeGlobalResourceTypes":true}}'

# Put delivery channel (the recorder cannot be started until a delivery channel exists)
aws configservice put-delivery-channel \
  --delivery-channel '{"name":"default","s3BucketName":"my-config-bucket","snsTopicARN":"arn:aws:sns:..."}'

# Start configuration recorder
aws configservice start-configuration-recorder \
  --configuration-recorder-name default

# List config rules
aws configservice describe-config-rules

# Get compliance details (--config-rule-name is the name you gave the rule)
aws configservice get-compliance-details-by-config-rule \
  --config-rule-name "S3_BUCKET_ENCRYPTION_ENABLED"

# Get resource config history
aws configservice get-resource-config-history \
  --resource-type AWS::EC2::Instance \
  --resource-id i-1234567890abcdef0

# Put config rule (SourceIdentifier must be the managed rule identifier)
aws configservice put-config-rule \
  --config-rule '{"ConfigRuleName":"MyRule","Source":{"Owner":"AWS","SourceIdentifier":"S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"}}'

# Put remediation configuration (--remediation-configurations takes a JSON list)
aws configservice put-remediation-configurations \
  --remediation-configurations '[{"ConfigRuleName":"S3_BUCKET_ENCRYPTION_ENABLED","TargetType":"SSM_DOCUMENT","TargetId":"AWS-EnableS3BucketEncryption","Parameters":{"AutomationAssumeRole":{"StaticValue":{"Values":["arn:aws:iam::..."]}},"BucketName":{"ResourceValue":{"Value":"RESOURCE_ID"}}}}]'

# Select aggregate resources (advanced query across an aggregator)
aws configservice select-aggregate-resource-config \
  --expression "SELECT resourceId, resourceName, resourceType WHERE resourceType = 'AWS::EC2::Instance'" \
  --configuration-aggregator-name my-aggregator
```

## 30.5 AWS CloudTrail

### CloudTrail Overview
CloudTrail records three kinds of events and delivers them to an S3 bucket for log storage:

- **Management events**: control-plane API calls
- **Data events**: S3, Lambda, and DynamoDB data-plane operations
- **Insights**: anomaly detection and alerting

### CloudTrail Event Types
**Management events**

- Control-plane operations: creating/deleting resources, modifying configurations, IAM operations, security group changes
- Examples: EC2 `RunInstances`, `TerminateInstances`; S3 `CreateBucket`, `DeleteBucket`; IAM `CreateUser`, `AttachRolePolicy`

**Data events**

- Data-plane operations: S3 object-level operations, Lambda function invocations, DynamoDB table operations
- Examples: S3 `GetObject`, `PutObject`, `DeleteObject`; Lambda `Invoke`; DynamoDB `GetItem`, `PutItem`

**Insights events**

- Anomaly detection: unusual API call volume, suspicious activity patterns, potential security issues

### CloudTrail Log Structure
A CloudTrail log file is a JSON object with a `Records` array; each record identifies who made the call, which API was called, from where, and what came back:

```json
{
  "Records": [{
    "eventVersion": "1.08",
    "userIdentity": {
      "type": "IAMUser",
      "principalId": "AIDACKCEVSQ6C2EXAMPLE",
      "arn": "arn:aws:iam::123456789012:user/alice",
      "accountId": "123456789012",
      "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
      "userName": "alice"
    },
    "eventTime": "2024-01-15T12:00:00Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "StartInstances",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.1",
    "userAgent": "aws-cli/2.0.0",
    "requestParameters": {
      "instancesSet": {
        "items": [{"instanceId": "i-1234567890abcdef0"}]
      }
    },
    "responseElements": {
      "instancesSet": {
        "items": [{
          "instanceId": "i-1234567890abcdef0",
          "currentState": {"code": 0, "name": "pending"},
          "previousState": {"code": 80, "name": "stopped"}
        }]
      }
    },
    "resources": [{
      "ARN": "arn:aws:ec2:us-east-1:123456789012:instance/...",
      "type": "AWS::EC2::Instance"
    }],
    "eventType": "AwsApiCall",
    "recipientAccountId": "123456789012"
  }]
}
```
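The record shape above is what a detection pipeline or "CloudWatch alarm for security events" actually consumes. The following is an added example, not code from the chapter: it parses a log file in that format and raises findings for four conditions a compliance checklist commonly alarms on (root account activity, failed console logins, successful calls that weaken audit logging, and repeated `AccessDenied` errors from one principal). The sample records, the event list and the threshold are constructed for this example.

```python
"""Detection logic over CloudTrail records (added example, not from the chapter).

Parses the log-file shape shown above (a JSON object with a "Records" array) and
flags: root activity, failed console logins, successful calls that weaken audit
logging, and repeated AccessDenied errors per principal. Sample records and the
threshold are constructed for this example.
"""
import json
from collections import defaultdict
from typing import Dict, List

# Successful calls to these (eventSource, eventName) pairs weaken audit logging.
LOGGING_TAMPER_EVENTS = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
    ("config.amazonaws.com", "StopConfigurationRecorder"),
    ("config.amazonaws.com", "DeleteDeliveryChannel"),
}
DENIED_ERROR_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}
ACCESS_DENIED_THRESHOLD = 3  # denied calls per principal in one batch (constructed value)


def _rec(itype, arn, source, name, error=None, extra=None, ip="192.0.2.1", t="2024-01-15T12:00:00Z"):
    """Build a minimal CloudTrail record (constructed test data)."""
    r = {"eventVersion": "1.08",
         "userIdentity": {"type": itype, "arn": arn, "accountId": "123456789012"},
         "eventTime": t, "eventSource": source, "eventName": name,
         "awsRegion": "us-east-1", "sourceIPAddress": ip, "eventType": "AwsApiCall"}
    if error:
        r["errorCode"] = error
    if extra:
        r.update(extra)
    return r


# Constructed sample log file in CloudTrail's delivery format.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("IAMUser", "arn:aws:iam::123456789012:user/alice", "ec2.amazonaws.com", "StartInstances"),
    _rec("Root", "arn:aws:iam::123456789012:root", "ec2.amazonaws.com", "DescribeInstances"),
    _rec("IAMUser", "arn:aws:iam::123456789012:user/alice", "signin.amazonaws.com", "ConsoleLogin",
         extra={"eventType": "AwsConsoleSignIn", "responseElements": {"ConsoleLogin": "Failure"}},
         ip="198.51.100.7"),
    _rec("IAMUser", "arn:aws:iam::123456789012:user/bob", "cloudtrail.amazonaws.com", "StopLogging"),
    _rec("IAMUser", "arn:aws:iam::123456789012:user/bob", "iam.amazonaws.com", "CreateUser", error="AccessDenied"),
    _rec("IAMUser", "arn:aws:iam::123456789012:user/bob", "iam.amazonaws.com", "AttachUserPolicy", error="AccessDenied"),
    _rec("IAMUser", "arn:aws:iam::123456789012:user/bob", "config.amazonaws.com", "DeleteDeliveryChannel", error="AccessDenied"),
]})


def load_records(raw: str) -> List[dict]:
    """CloudTrail log files carry their records under a top-level "Records" key."""
    return json.loads(raw).get("Records", [])


def _finding(rule: str, principal: str, r: dict) -> Dict[str, str]:
    return {"rule": rule, "principal": principal, "eventName": r.get("eventName", ""),
            "eventTime": r.get("eventTime", ""), "sourceIPAddress": r.get("sourceIPAddress", "")}


def scan_records(records: List[dict]) -> List[Dict[str, str]]:
    """Return one finding per matched condition, in record order; denied-call counts last."""
    findings = []
    denied = defaultdict(list)
    for r in records:
        ident = r.get("userIdentity") or {}
        principal = ident.get("arn") or ident.get("type", "unknown")
        if ident.get("type") == "Root":
            findings.append(_finding("root-activity", principal, r))
        if r.get("eventName") == "ConsoleLogin" and (r.get("responseElements") or {}).get("ConsoleLogin") == "Failure":
            findings.append(_finding("console-login-failure", principal, r))
        # A tamper call that failed with an error did not change logging; it is counted below instead.
        if (r.get("eventSource"), r.get("eventName")) in LOGGING_TAMPER_EVENTS and not r.get("errorCode"):
            findings.append(_finding("audit-logging-tampered", principal, r))
        if r.get("errorCode") in DENIED_ERROR_CODES:
            denied[principal].append(r)
    for principal, recs in denied.items():
        if len(recs) >= ACCESS_DENIED_THRESHOLD:
            f = _finding("repeated-access-denied", principal, recs[-1])
            f["eventName"] = ",".join(sorted({x["eventName"] for x in recs}))
            f["count"] = str(len(recs))
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_records(load_records(SAMPLE_LOG)):
        print(json.dumps(f))
```

Keying the denied-call counter on `userIdentity.arn` rather than `userName` matters because assumed-role sessions have no `userName`; and distinguishing a successful `StopLogging` from one that returned `AccessDenied` keeps the tamper rule precise while the failed attempt still counts toward the denied-call threshold.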
### CloudTrail CLI Commands

```bash
# Create trail
aws cloudtrail create-trail \
  --name my-trail \
  --s3-bucket-name my-cloudtrail-logs \
  --include-global-service-events \
  --is-multi-region-trail

# Start logging
aws cloudtrail start-logging \
  --name my-trail

# Get trail status
aws cloudtrail get-trail-status \
  --name my-trail

# List trails
aws cloudtrail describe-trails

# Get event selectors
aws cloudtrail get-event-selectors \
  --trail-name my-trail

# Put event selectors (for data events)
aws cloudtrail put-event-selectors \
  --trail-name my-trail \
  --event-selectors '[{"ReadWriteType":"All","IncludeManagementEvents":true,"DataResources":[{"Type":"AWS::S3::Object","Values":["arn:aws:s3:::my-bucket/"]}]}]'

# Look up events
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=Username,AttributeValue=alice \
  --start-time 2024-01-01T00:00:00Z \
  --end-time 2024-01-31T23:59:59Z

# Enable insights
aws cloudtrail put-insight-selectors \
  --trail-name my-trail \
  --insight-selectors '[{"InsightType":"ApiCallRateInsight"}]'
```

## 30.6 Additional Governance Services

### AWS Trusted Advisor
Trusted Advisor checks are grouped into five categories:

**Cost Optimization**

- Idle resources
- Unassociated Elastic IP addresses
- Underutilized EBS volumes
- Reserved Instance recommendations

**Security**

- MFA on root account
- Security group settings
- IAM password policy
- SSL certificate expiration

**Fault Tolerance**

- Auto Scaling health checks
- Multi-AZ RDS deployments
- Load balancer health checks
- VPC VPN tunnel redundancy

**Performance**

- High-utilization EC2 instances
- EBS volume performance
- CloudFront optimization

**Service Limits**

- Resource limit monitoring
- Usage percentage alerts

### AWS Well-Architected Tool
The Well-Architected Tool reviews workloads against six pillars:

1. **Operational Excellence**: run and monitor systems; continuous improvement
2. **Security**: protect data and systems; risk assessment
3. **Reliability**: recovery from failures; mitigate disruptions
4. **Performance Efficiency**: efficient resource utilization; scalability
5. **Cost Optimization**: avoid unnecessary costs; resource optimization
6. **Sustainability**: environmental impact; resource efficiency

## 30.7 Compliance Best Practices

### Multi-Account Compliance
Organization-level controls centralize compliance across member accounts:

- An **AWS Config aggregator** and a **Security Hub aggregator** collect findings from all accounts.
- The **management account** hosts the central compliance dashboard, cross-account reporting, and organization-wide policies.
- Member accounts (for example **Prod**, **Dev**, and **Security**) feed the aggregators and receive the organization-wide policies.

### Compliance Checklist
**Logging & Monitoring**

- [ ] CloudTrail enabled in all regions
- [ ] CloudTrail data events for sensitive resources
- [ ] CloudTrail logs encrypted and validated
- [ ] Config enabled for all resources
- [ ] CloudWatch alarms for security events

**Access Control**

- [ ] MFA enabled for all IAM users
- [ ] Root account MFA enabled
- [ ] Root account access keys removed
- [ ] IAM password policy enforced
- [ ] Least-privilege access implemented

**Data Protection**

- [ ] S3 bucket encryption enabled
- [ ] EBS volume encryption enabled
- [ ] RDS encryption enabled
- [ ] KMS keys rotated
- [ ] Secrets encrypted in transit and at rest

**Network Security**

- [ ] VPC flow logs enabled
- [ ] Security groups restricted
- [ ] Network ACLs configured
- [ ] WAF enabled for web applications
- [ ] Shield Advanced for critical apps

## 30.8 Exam Tips
Key exam points:

1. Audit Manager automates evidence collection for audits
2. Artifact provides compliance reports (SOC, PCI, ISO, etc.)
3. Config tracks resource configuration changes
4. Config rules can be managed or custom (Lambda)
5. Config remediation uses SSM Automation documents
6. CloudTrail logs API calls (management and data events)
7. CloudTrail Insights detects anomalous API activity
8. Trusted Advisor provides optimization recommendations
9. Well-Architected Tool has 6 pillars
10. Config aggregator enables multi-account compliance

## 30.9 Summary
**AWS Audit Manager**

- Automated audit evidence collection
- Prebuilt compliance frameworks
- Custom controls and assessments
- Assessment reports

**AWS Artifact**

- Compliance reports (SOC, PCI, ISO)
- Agreements (BAA, DPA)
- Self-service access

**AWS Config**

- Resource configuration tracking
- Compliance rules
- Automated remediation
- Multi-account aggregation

**AWS CloudTrail**

- API call logging
- Management and data events
- Insights for anomaly detection
- Cross-account trails